Analysis
-
max time kernel
150s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 21:47
General
-
Target
6e2bcebf71808ca154b1363897c14856a0ff881772f5bb46734ea7ea3c5323c1.exe
-
Size
176KB
-
MD5
26f4cc3c95c00b556e7386913606cfd9
-
SHA1
9330a00293383c077ad94faaf3f2faf4c1f8158a
-
SHA256
6e2bcebf71808ca154b1363897c14856a0ff881772f5bb46734ea7ea3c5323c1
-
SHA512
aa69c0eca77864716288f2073f33f6a75e3e153f10337a994b353988f9f2636381bfbc04dc1705655980e22436b7b8d2e29a911989fa721580f9ac53ee49dc29
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 20 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: RenamesItself 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6e2bcebf71808ca154b1363897c14856a0ff881772f5bb46734ea7ea3c5323c1.exe"C:\Users\Admin\AppData\Local\Temp\6e2bcebf71808ca154b1363897c14856a0ff881772f5bb46734ea7ea3c5323c1.exe"2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\6400.vbs"3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\SysWOW64\BRemotes.exeC:\Windows\SysWOW64\BRemotes.exe1⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
500B
MD595d9f635fa98860eeb48fc3952eb451b
SHA116df616dd2e833a0ee272509c3241a8081a07445
SHA256b181f1f2e4128cae544a9d9f8117bbaabff398ddd0b0865196b30cce65e0d103
SHA5127242b0132018fcacc2bcc4be0bb8274e4e7713d0f3468ac7febf598ef43775034bd7b857e41fd205047f21788bbeba56f902cce222e4b2c8bcbc246fd2776383
-
Filesize
255B
MD5c2ddf3f7b5b6605c578896d5414edd6c
SHA123f26424ca67bcd53753d040eb053252cf368d2a
SHA256819d8ae1c401feab55f98947cf4290383ee0bd7725678ac4d0f1047e4113a7ca
SHA5127b999834fa53f6b87455d2543ccf67caab60061416cc62a028336aec9b2b2a4904b1beee649b22c1de305384a68ff234311734faaef67ebec902f64a04efb5ae
-
Filesize
16.6MB
-
Filesize
176KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
176KB
-
Filesize
16.6MB
-